Binder is an IPC (Inter Process Communication) component that forms the basis of Android. There are multiple subsystems in Android and the communication between them is provided by Binder. In this blog post, we will trigger a UAF vulnerability (CVE-2019-2215) in Binder from scratch. After preparing the necessary environment and tools, we will try to reach the KASAN output with the POC exploit.
From the list above you just need to install Ubuntu, for the rest we will follow a step-by-step process. Once the Ubuntu installation is complete, you should install the Java 8 JRE packages on your computer with the `sudo apt install openjdk-8-jre-headless` command.
After this stage, download Android Studio using snap by writing `sudo snap install android-studio`.
Except for Kernel and Exploit, we next download all the remaining requirements with the help of Android Studio.
When you download and open Android Studio with snap, it will create a new folder named Android in your home directory. It will load all the tools we will use in another folder named Sdk under the Android folder.
After Android Studio installation is complete, we need to open SDK Manager with More Actions button and download other requirements such as Android Emulator and NDK.
Open the SDK Tools tab, choose the NDK, Emulator, SDK Platform-Tools sections, and then download them by clicking apply.
After completing these processes, necessary environment for the POC is now successfully created. In order to use the tools provided by Android Studio from the terminal, we need to make certain changes in the PATH.
Now, we are ready to start.
You can change the options you see above, which include the device skin and certain variables such as RAM, Camera, Sensor. Since they are not critical for reproduction, they can be changed as desired.
Now, we choose System Image for the device we are creating. Downloaded system images are stored in `~/Android/Sdk/system-images` folder. You can download the image you want via the download button. In the example, we will use x86_64 Android 10.
Next, we define a name for device and create the device.
Once the device is created, it will be visible in the list. At this point, it is possible to run the device over Android-Studio, but after this process, we will work completely through the terminal. We will need it to read the kernel outputs and run the emulator with specific parameters.
There are multiple kernels distributed by Google for the use on Android. The Goldfish kernel has been developed to work in the emulator. Goldfish 4.14 Kernel for Android 10 is running smoothly. In the vulnerability that we will reproduce, the KASAN config must be enabled while the kernel is being built. In addition, the lines where the vulnerability is resolved are deleted and the kernel is built in a vulnerable way. Apart from these, each different kernel and Android version brings with it different compiler sets. The compiler we will use here will be gcc-4.9-android-10-r47. Let’s download the kernel and compiler set from the links below.
After moving the downloaded files to the same directory, we first need to make some changes on the PATH.
In example, we have two folders under the aosp directory, src and x86_64-linux-android-4.9. Among them, src contains the kernel codes, while x86_64-linux-android-4.9 contains the compiler set.
With these variables that we export sequentially, we can use the compiler set we specially downloaded while building the kernel. Then we go to kernel files in the src directory and configure x86_64_ranchu_defconfig file under the /arch/x86/config directory for KASAN.
With the required additions to the config file, KASAN and some other useful kernel features become enabled.
The next step is to comment out certain code lines to make the kernel vulnerable again.
As can be seen here, the vulnerability was fixed by adding an if block. (LINK)
We can make a vulnerable kernel by deleting the if block from the /drivers/android/binder.c file in src folder.
Now vulnerable KASAN kernel is ready and we begin the building phase. We run the make x86_64_ranchu_defconfig command after going to src, which is the kernel home directory. And then we start building by running the make command in the same directory. After the building process, which takes 5-10 minutes on average, the custom kernel will be ready on /arch/x86/boot/bzImage.
Now we are ready to run the emulator with a custom kernel. For this, it is enough to write the following command.
emulator @POC -no-snapshot -verbose -kernel "bzImage_Full_Path" -show-kernel
After that, what needs to be done in the remaining part is to compile the POC code and run it on a custom android device with the help of adb. And then it will be possible to see the USE AFTER FREE warning among the kernel messages.
We Solve Complex Technical Challenges VerSprite's Research and Development division (a.k.a VS-Labs) is comprised of individuals who are passionate about diving into the internals of various technologies. Our clients rely on VerSprite's unique offerings of zero-day vulnerability research and exploit development to protect their assets from various threat actors. From advanced technical security training to our research for hire B.O.S.S offering, we help organizations solve their most complex technical challenges.